All geek questions in one place

Need help Debugging SSL handshake in tomcat

I have a very strange problem and search for some tips. I have a certificate sent by a client that I need to install so that I can access the HTTPS web service. The certificate was installed on both Windows and Linux. using the keytool command

keytool -import -alias ca -file somecert.cer -keystore cacerts –storepass changeit

when I deploy my application on windows tomcat, I can communicate with the HTTPS web server. However, Linux tomcat also gives me an error:

Throws: sun.security.provider.certpath.SunCertPathBuilderException: could not find a valid certification path for the requested target in sun.security.provider.certpath.SunCertPathBuilder.engineBuild (SunCertPathBuilder.java:236) in java.securityPathubertCcert.cert.bert.bert.bert.bert.bert (CertPathBuilder.java:194) in sun.security.validator.PKIXValidator.doBuild (PKIXValidator.java:216)

This means that he could not find certifcate. The certificate is located at jaca security cacerts. I used the keytool -list , and it is.

I have no idea why it works on Windows and not Linux. I tried to set the parameters in the Server

 System.setProperty("javax.net.debug", "all"); System.setProperty("javax.net.ssl.trustStore", "/usr/java/jdk1.5.0_14/jre/lib/security/cacerts"); System.setProperty("javax.net.ssl.trustStorePassword", "changeit");

It still does not work.

My questions:

1. Anyone have an idea why this does not work, am I all tired?

2.How do you use enbale SSL debugging to configure tomcat.Ss System.setProperty("javax.net.debug", "all") works? For some reason, I don't see any SSL debugging information in Catalina.out. Do I need to change anything. What debugging information I should see.

Any help is very helpful. I am out of ideas.

0
source share
2 answers

To solve this problem you can try the following

Download SSLPoke.java from Google

SSLPoke.java

Compile it:

 javac SSLPoke.java

Once you compile the SSLPoke code call as

 java -Djavax.net.debug=all SSLPoke [your https host] 443

In the output, you will see where java is looking for cacerts.

Once you know the exact location, use keytool to import your file into cacerts

 keytool -import -alias [your https host] -keystore [the location returned]/cacerts -file [your.crt]

And that’s it, restart tomcat and it should work correctly.

Several times when you have many versions of java on the same Linux machine, even adding [your.crt] to cacerts returned by debug does not work, if so, add [your.crt] to all cacerts on Linux you can find everything:

 locate cacert

as soon as the Linux machine returns all cacerts locations, for example:

 /home/xuser/NetBeansProjects/porjectx/conf/cacerts /opt/otherlocation/j2sdkee1.3.1/lib/security/cacerts.jks /opt/icedtea-bin-6.1.12.7/jre/lib/security/cacerts /opt/icedtea-bin-6.1.13.5/jre/lib/security/cacerts /opt/icedtea-bin-7.2.4.1/jre/lib/security/cacerts /opt/oracle-jdk-bin-1.7.0.76/jre/lib/security/cacerts /opt/sun-j2ee-1.3.1/lib/security/cacerts.jks

add [your.crt] to all of them with keytool and restart tomcat.

If you do not have your.crt file, you can get it with the command

openssl s_client -connect [your https host]:443 < /dev/null

and copy from ----- BEGIN CERTIFICATE ----- ----- END OF CERTIFICATE -----

I hope this helps you

+2
source

Have you checked the certificate itself to verify that there are no root certificates in the certificate path?

Also, keep in mind that if you point to the built-in Java cacerts and you upgrade to Java, your certificate will be overwritten. For this reason, I usually use an alternative keystore location.

0
source

Source: https://habr.com/ru/post/971175/

More articles:


All Articles